Risk management more of a priority, but some weaknesses remain: FERMA

Despite moves by European companies to prioritize risk management as never before, some weaknesses remain, suggest findings of a new survey exploring risk management leadership released Thursday by the Federation of European Risk Management Associations (FERMA).

The survey Leadership in Risk Management – sponsored by Zurich and conducted by Harvard Business Review Analytic Services in January and February – involved input from 220 risk managers from FERMA and the public sector associations PRIMO.

Survey findings suggest that direct responsibility for risk management falls to a chief risk officer (CRO) or risk manager at 35% of polled organizations, either the CEO or the chief financial officer/treasurer at 27% of surveyed organizations, and the board itself at 14% of organizations polled.

The risk categories that respondents ranked as of greatest concern were as follows: strategic, 63%; financial, 55%; IT/data privacy, 44%; legal and regulatory compliance, 44%; brand/reputation, 42%; market/competition, 42%; technology, 41%; systemic, 37%; political/geopolitical, 35%; workforce, 33%; natural disasters, 20%; and terrorism/violence, 10%, notes a statement from FERMA, which brings together 22 national risk management associations in 20 European countries.

“In their responses, more than 200 executives at major European organizations emphasize how top management and the board are increasingly setting direction and taking tighter control of risk management, integrating it with overall company strategy and embedding it deeper into corporate culture,” FERMA reports.

Roughly half of companies surveyed reported their risk management process is closely or very closely aligned with overall strategy and budget. That said, there has been less progress at bringing the risk function’s resources to bear on transformative business projects, such as mergers, acquisitions and divestments, the statement notes.

Asked if the risk function has “a seat at the table” during strategy setting, project launches ad investment and other business decisions, 41.0% of respondents said yes, 16.6% said no, and 42.4% said occasionally.

Three-quarters of respondents cited the risk function as a channel by which information, intelligence and advice on risk reaches senior management. Despite that positive, only 17% of those polled described communication between the C-suite and the CRO as being comprehensive or nearly so; 29% expressed concern about a “good news culture” that meant management did not receive unvarnished information on risk; and 40% said their organization has not yet set up a broad-based, cross-functional risk committee.

Asked if the C-suite has developed a process for determining the organization’s risk appetite, 47.1% of those polled responded yes while 52.9% responded no. With regard to whether or not the process for determining the organization’s risk appetite is communicated clearly to all levels of the organization, 59.2% said yes and 40.8% said no.

On the education side, most companies have education and review processes in place to keep the board and senior executives informed about risk exposures. Key risks are communicated to the C-suite regularly at 70% of organizations surveyed.

In addition, 56% of organizations reported that resources devoted to risk-related education and training have increased over the past three years for the chief risk office level and above. More specifically, 42.6% of respondents said yes, at all levels; 13.2% said yes, at the CRO level and above only; and 44.1% said no.

Less positive was the finding that companies have been slow to adopt risk-based incentives as part of compensation, with only 12% of respondents reporting that their organizations align risk management with executive pay. “These are not essentials for a successful risk management strategy, but they show risk management has room to grow in the C-suite,” FERMA board member Jo Willaert, corporate risk manager of Agfa-Gevaert, says in the statement.

The majority of organizations surveyed are also using analytics for risk management more than in the past three years, results indicate. To that question, 56.1% of respondents said yes, while 43.9% said no.

In 2014, FERMA plans to conduct its pan-European risk management benchmarking survey, which will delve further into some of the issues highlighted by the survey results.